Hi Please see attached a copy of your statement for the month of Nov 2015
Sincerely
Lynda Ang

As with many recent ransomware attacks, this appears to have been sent through webmail (it really is from 163.com, it is not being spoofed). Attached is a file Statement.zip which contains a malicious javascript statement.js [pastebin] [VT 7/53] which then downloads a component from:

46.30.45.73/mert.exe

That IP belongs to Eurobyte LLC in Russia. I recommend that you block it.

This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55 and an MD5 of 68940329224ab93ce4b688df33a9274f. The application's icon and metadata is designed to make it look like a copy of VNC, but instead the VirusTotal detection indicates that it is Cryptowall. This Hybrid Analysis report demonstrates the ransomware in action most clearly.

One unusual characteristic is that it POSTs to a lot of webservers (also listed in these reports [1][2][3]) although I don't know how significant it is. Almost all the domain names being with "A":